The federal and Alberta privacy commissioners have jointly issued a report criticizing certain retail industry companies for failing to implement adequate security safeguards for customer information, resulting in privacy breaches. The commissioners were particularly concerned that the companies had (i) collected too much personal information that was not required for business purposes, (ii) used retention periods that were too long, and (iii) relied on weak encryption technology. In addition to being a good example of the need for appropriate security standards, the following case is also a caution against collecting more information than is necessary for transactions and retaining the information indefinitely.

In January 2007, TJX Companies, Inc., the parent company to Winners Merchants Inc. and HomeSense in Canada, issued a press release to announce that it had suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions. The company stated that the intrusion involved the portion of TJX’s computer network that handled credit card, debit card, cheque and merchandise return transactions for customers. The company had alerted law enforcement authorities of the crime, and with the authorities’ agreement, had notified its contracting banks, credit card, debit card and cheque processing companies of the suspected intrusion.

Later that month, the Privacy Commissioner of Canada and the Information and Privacy Commissioner of Alberta announced that they would jointly investigate the database breach and how it affected Canadians who shopped at Winners and HomeSense. The joint report was issued in September 2007.

The commissioners stated that the breach involved millions of credit and debit card numbers, as well as other personal information such as driver’s licence numbers and addresses collected when customers returned merchandise without receipts. TJX believed that the intruder initially gained access to customer information via the wireless local area networks at two of its stores in the United States and the information was stolen from mid-2005 through December 2006.

The commissioners’ investigation found that:

  • TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected;
  • the company failed to act quickly in converting from a weak encryption standard to a stronger standard;
  • TJX did not meet its duty to monitor its computer systems vigorously; and.
  • the company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

The companies collected driver’s licence and other identification numbers when unreceipted merchandise was returned as part of a fraud prevention process. While the commissioners agreed that the collection of some personal information from customers is acceptable when merchandise is returned without a receipt (including name and address), the collection of driver’s licence numbers was found to not be reasonable in the circumstances.

The company had confirmed that the refund-management system could operate with any unique numeric identifier, and did not require a driver’s licence or other provincial identification number. The commissioners suggested that a driver’s licence number was not intended to be an identifier for conducting analysis of shopping return habits, particularly as this number is an extremely valuable piece of data to fraudsters and identity thieves intent on creating false identification with valid information.

In addition, these key numbers were retained indefinitely. The commissioners felt this was inappropriate and stated that "organizations should collect only the minimum amount of information necessary for the stated purposes and retain it only for as long as necessary, while keeping it secure." However, the commissioners ultimately accepted the proposal by the companies to temporarily keep driver’s licence information but convert it to a new ‘hash value’ number that would render the actual driver’s licence numbers unreadable.

The commissioners urged companies to be vigilant when safeguarding their information. More sensitive information should be safeguarded by a higher level of protection, which could include physical measures, such as locked filing cabinets and restricted office access; organizational measures, such as security clearances and "need to know" access; and technological measures, such as passwords and encryption. The commissioners emphasized that "once in place, security measures must be actively monitored, audited, tested and updated when necessary."

After the release of the joint report, Winners and HomeSense announced that while the companies disagreed with many of the commissioners’ factual findings and legal conclusions, they had chosen to implement the commissioners’ recommendations, and had already implemented most of them. TJX advised the commissioners that it would convert the driver’s licence number obtained as part of its returns policy into a unique identifying number when keyed into the point-of-sale system. The companies also plan to outfit all of their stores with new chip and PIN-capable pads and "expect to be among the first major Canadian retailers fully ready to accept the new, more secure chip and PIN payment cards."

Prior to the release of the commissioners’ report, TJX had announced a proposed settlement of the customer class actions arising from the intrusions. The settlement is subject to court approval and other conditions.